Bug 435759 (CVE-2008-0072) - CVE-2008-0072 Evolution format string flaw
Summary: CVE-2008-0072 Evolution format string flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0072
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,source=vendorsec,repo...
Depends On: 435796 435797 435798 435799 435800 435801 435802 436080 436081 436082
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-03 18:38 UTC by Josh Bressers
Modified: 2019-06-08 12:28 UTC (History)
5 users (show)

Fixed In Version: 2.10.3-8.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-06 16:58:47 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0177 normal SHIPPED_LIVE Critical: evolution security update 2008-03-05 10:23:04 UTC
Red Hat Product Errata RHSA-2008:0178 normal SHIPPED_LIVE Critical: evolution security update 2008-03-05 10:27:00 UTC

Description Josh Bressers 2008-03-03 18:38:30 UTC
Ulf Harnhammar of Secunia Research reported a format string flaw in the way
Evolution parses PGP encrypted messages.

It should be possible for a malicious mail message to abuse this flaw to execute
arbitrary code when a user open the mail message.

Acknowledgements:

Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding
and reporting this issue.

Comment 4 Mark J. Cox 2008-03-04 09:58:59 UTC
Format string flaws are usually detected by FORTIFY_SOURCE which will notice
that the %n is from a writable string and abort.  But this wasn't happening when
testing this flaw.

On RHEL5, the user supplied format string is passed to em_format_format_error()
in evolution which calls g_strdup_vprintf from glib2.  Unfortunately
g_strdup_vprintf in glib2 uses vasprintf, and vasprintf is a function that is
not fortified.  (I'll file a feature request about that and see if we can't get
glibc to fortify vasprintf/asprintf etc.)

Comment 7 Tomas Hoger 2008-03-05 09:39:02 UTC
Public now on Secunia site, lifting embargo:

http://secunia.com/advisories/29057/
http://secunia.com/secunia_research/2008-8/

Comment 9 Fedora Update System 2008-03-05 17:39:13 UTC
evolution-2.10.3-8.fc7 has been submitted as an update for Fedora 7

Comment 10 Fedora Update System 2008-03-05 17:45:29 UTC
evolution-2.12.3-3.fc8 has been submitted as an update for Fedora 8

Comment 11 Fedora Update System 2008-03-06 16:37:51 UTC
evolution-2.10.3-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-03-06 16:38:11 UTC
evolution-2.12.3-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.